Australian businesses that don’t provide evidence of their cyber security resilience are missing out on headwinds from investors, a new report has claimed.
This is according to audit, tax and consulting provider RSM Australia’s thinkBig Cyber Security report, which found that 17.68 per cent of the 147 companies that listed on the Australian Securities Exchange (ASX) during the 2020-21 financial year mentioned cyber security in their annual reports, leaving over 80 per cent that made no mention.
While this is up from 6.41 per cent of ASX inductees in the 2018-19 financial year that mentioned cyber security, as well as an increase from 10.86 per cent in 2019-20, RSM Australia claimed the quality and depth of reporting “has been consistently low”.
Darren Booth, RSM’s national head of cyber security and privacy risk services, said just 6 per cent of the 271 reports analysed over the three-year period provided a comprehensive insight into their cyber risk mitigation.
“Investors are increasingly aware that companies choosing not to invest in cyber security are at higher risk of significant financial and reputational loss,” Booth said.
“By omitting evidence of cyber resilience from annual reporting, or simply acknowledging an awareness of the risks without detailing proactive mitigation measures, the perception could be that the company has not adequately considered the risk of cyber security-driven litigation, claims, fines, penalties and reputational damage.
“This perception might not reflect reality and in fact well-capitalised start-ups are often cyber security conscious from early on, especially if experienced directors and investors are on the founder’s case about cyber resilience before they even launch.
“Less well-capitalised start-ups however often mistakenly assume they are of little interest to cyber criminals, but this is simply not the case.”
Diving deeper into the lack of quality cyber security risk reporting, the report found “many” companies provided cyber threat information in a “boilerplate fashion”, typically under the ‘key risks and business challenges’ section of the report, claiming that stolen personal data could result in litigation, claims, fines, penalties and reputational damage.
“Cyber threats, such as viruses, have been around since the dawn of the digital age, however the idea that organisations might have a legal responsibility to safely store and responsibly use the data they collect has been slow to take hold,” said RSM’s director of corporate finance Andrew Clifford.
“With the enormous shift of business online and the increase in the collection and storage of personal data, organisations are now responsible for disclosing any cyber breaches to customers and must alert the Office of the Australian Information Commissioner (OAIC).
“It is evident that managing these risks goes beyond the IT department as real shareholder value is at stake in both the short and long term. Boards should identify and treat cyber security as a business risk not just an IT risk.
“For example, making cyber security a priority might mean making ‘maintaining industry-leading cyber security’ one of the CEO’s KPIs, establishing a cyber risk committee or making strong data protection one of your start-up’s ESG commitments.
“Looking at overseas trends, directors could also soon be personally liable for failing to appropriately manage cyber security risks, as is already the case in Germany, the USA, Canada, South Africa and the UAE,” he added.